October 24, 2022

Security experts said two new extortion gangs called “TommyLeaks” and “SchoolBoys” are the same ransomware gang.

TommyLeaks ransomware gang was uncovered by security researcher MalwareHunterTeam in September, while SchoolBoys ransomware gang was uncovered in October by the same researcher.

On why the two ransomware gangs are believed to be the same, the two groups used the same Tor chat system for their negotiation sites. The same chat system was previously only used by the Karakurt extortion group.

Also, in a SchoolBoys negotiation chat shared with BleepingComputer, the threat actors greeted their victim as “TommyLeaks” in their attempts to coerce a ransom payment.

It remains unclear why they use two different names in their operation although the researchers believe they may be trying a similar approach used by Conti and Karakurt.

TommyLeaks claims to break into corporate networks, steal data and demand ransoms between $400,000 and $700,000. SchoolBoys claims to steal data and encrypt victims’ devices as part of their attacks. Investigation also showed that SchoolBoys ransomware encryptor was created using the leaked LockBit 3.0 builder.

The sources for this piece include an article in BleepingComputer.